Backtracking EMAIL Messages

SlaX

Tracking email back to its source

Ask most people how they determine who sent them an email message and the response is almost universally, "By the From line." Unfortunately this is symptomatic of the current confusion among internet users as to where particular messages come from and who is spreading spam and viruses. The "From" header is little more than a courtesy to the person receiving the message. People spreading spam and viruses are rarely courteous. In short, if there is any question about where a particular email message came from, the safe bet is to assume the "From" header is forged.

So how do you determine where a message actually came from? You have to understand how email messages are put together in order to backtrack an email message. SMTP is a text based protocol for transferring messages across the internet. A series of headers are placed in front of the data portion of the message. By examining the headers you can usually backtrack a message to the source network, sometimes the source host. A more detailed essay on reading email headers can be found elsewhere.

If you are using Outlook or Outlook Express you can view the headers by right clicking on the message and selecting properties or options.

Below are listed the headers of an actual spam message I received. I've changed my email address and the name of my server for obvious reasons. I've also double spaced the headers to make them more readable.


Return-Path: <[email protected]>

X-Original-To: [email protected]

Delivered-To: [email protected]

Received: from 12-218-172-108.client.mchsi.com (12-218-172-108.client.mchsi.com [12.218.172.108])
by mailhost.example.com (Postfix) with SMTP id 1F9B8511C7
for <[email protected]>; Sun, 16 Nov 2003 09:50:37 -0800 (PST)

Received: from (HELO 0udjou) [193.12.169.0] by 12-218-172-108.client.mchsi.com with ESMTP id <536806-74276>; Sun, 16 Nov 2003 19:42:31 +0200

Message-ID: <[email protected]>

From: "Maricela Paulson" <[email protected]>

Reply-To: "Maricela Paulson" <[email protected]>

To: [email protected]

Subject: STOP-PAYING For Your PAY-PER-VIEW, Movie Channels, Mature Channels...isha

Date: Sun, 16 Nov 2003 19:42:31 +0200

X-Mailer: Internet Mail Service (5.5.2650.21)

X-Priority: 3

MIME-Version: 1.0

Content-Type: multipart/alternative; boundary="MIMEStream=_0+211404_90873633350646_4032 088448"


According to the From header this message is from Maricela Paulson at [email protected]. I could just fire off a message to [email protected], but that would be a waste of time. This message didn't come from yahoo's email service.

The header most likely to be useful in determining the actual source of an email message is the Received header. According to the top-most Received header this message was received from the host 12-218-172-108.client.mchsi.com with the IP address 12.218.172.108 by my server mailhost.example.com. An important item to consider is at what point in the chain the email system becomes untrusted. I consider anything beyond my own email server to be an unreliable source of information. Because this header was generated by my email server it is reasonable for me to accept it at face value.

The next Received header (which is chronologically the first) shows the remote email server accepting the message from the host 0udjou with the ip 193.12.169.0. Those of you who know anything about IP will realize that that is not a valid host IP address. In addition, any hostname that ends in client.mchsi.com is unlikely to be an authorized email server. This has every sign of being a cracked client system.


Here is where we start digging. By default Windows is somewhat lacking in network diagnostic tools; however, you can use online tools to do your own checking.

davar@nqh9k:[/home/davar] $whois 12.218.172.108

AT&T WorldNet Services ATT (NET-12-0-0-0-1)
12.0.0.0 - 12.255.255.255
Mediacom Communications Corp MEDIACOMCC-12-218-168-0-FLANDREAU-MN (NET-12-218-168-0-1)
12.218.168.0 - 12.218.175.255

# ARIN WHOIS database, last updated 2003-12-31 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.

I can also verify the hostname of the remote server by using nslookup, although in this particular instance, my email server has already provided both the IP address and the hostname.

davar@nqh9k:[/home/davar] $nslookup 12.218.172.108

Server: localhost
Address: 127.0.0.1

Name: 12-218-172-108.client.mchsi.com
Address: 12.218.172.108

Ok, whois shows that Mediacom Communications owns that netblock and nslookup confirms the address to hostname mapping of the remote server, 12-218-172-108.client.mchsi.com. If I put a www in front of the domain name portion and plug that into my web browser, http://www.mchsi.com, I get Mediacom's web site.

There are few things more embarrassing to me than firing off an angry message to someone who is supposedly responsible for a problem, and being wrong. By double checking who owns the remote host's IP address using two different tools (whois and nslookup) I minimize the chance of making myself look like an idiot.

A quick glance at the web site and it appears they are an ISP. Now if I copy the entire message including the headers into a new email message and send it to [email protected] with a short message explaining the situation, they may do something about it.

But what about Maricela Paulson? There really is no way to determine who sent a message; the best you can hope for is to find out what host sent it. Even in the case of a PGP signed message there is no guarantee that one particular person actually pressed the send button. Obviously, determining the actual sender of an email message is much more involved than reading the From header. Hopefully this example may be of some use to other forum regulars.
 
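An added example, not part of SlaX's post: a Python script that walks the Received chain the way the post describes, treating only the hops stamped by our own server as reliable and reporting everything beyond that boundary with a few sanity flags. The sample message is constructed from the headers quoted above with the obfuscated mailbox names replaced by placeholder addresses; `mailhost.example.com` is assumed to be our own server, and the hostname hints (`client`, `dyn`, `dsl`, ...) are heuristics, not a rule.

```python
import email
import ipaddress
import re

# Constructed sample: the Received chain from the post above, with the
# obfuscated mailbox names replaced by placeholder addresses.
RAW_MESSAGE = """\
Return-Path: <sender@example.org>
Delivered-To: me@example.com
Received: from 12-218-172-108.client.mchsi.com (12-218-172-108.client.mchsi.com [12.218.172.108])
    by mailhost.example.com (Postfix) with SMTP id 1F9B8511C7
    for <me@example.com>; Sun, 16 Nov 2003 09:50:37 -0800 (PST)
Received: from (HELO 0udjou) [193.12.169.0] by 12-218-172-108.client.mchsi.com with ESMTP id <536806-74276>; Sun, 16 Nov 2003 19:42:31 +0200
From: "Maricela Paulson" <someone@example.org>
To: me@example.com
Subject: test

body
"""

# Hostname fragments typical of dynamically assigned end-user addresses (heuristic).
DYNAMIC_HINTS = ("client", "dyn", "dsl", "cable", "pool", "ppp", "dhcp")


def parse_received(value):
    """Pull the from-host, HELO name, bracketed IP and relaying host out of one Received header."""
    value = " ".join(value.split())  # unfold continuation lines
    m_from = re.search(r"\bfrom\s+(\S+)", value)
    m_helo = re.search(r"\((?:HELO|EHLO)\s+([^)]+)\)", value, re.IGNORECASE)
    m_ip = re.search(r"\[([0-9a-fA-F.:]+)\]", value)
    m_by = re.search(r"\bby\s+(\S+)", value)
    # "from (HELO x)" means the relay recorded no reverse-DNS name at all
    from_host = m_from.group(1) if m_from and not m_from.group(1).startswith("(") else None
    return {
        "from_host": from_host,
        "helo": m_helo.group(1) if m_helo else None,
        "ip": m_ip.group(1) if m_ip else None,
        "by": m_by.group(1) if m_by else None,
    }


def ip_flags(ip_str):
    """Cheap sanity checks on an address found in a Received header."""
    if ip_str is None:
        return ["no-ip"]
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return ["unparseable"]
    flags = []
    if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved:
        flags.append("non-routable")
    if isinstance(ip, ipaddress.IPv4Address) and ip.packed[-1] == 0:
        flags.append("host-octet-zero")  # odd for a client machine, worth a second look
    return flags


def hostname_flags(host):
    """Heuristic hints that a name belongs to an end-user connection, not a mail server."""
    flags = []
    if host is None:
        return flags
    h = host.lower()
    if any(k in h for k in DYNAMIC_HINTS):
        flags.append("looks-like-end-user-host")
    if re.match(r"^\d{1,3}(-\d{1,3}){3}\.", h):
        flags.append("ip-derived-hostname")
    return flags


def backtrack(raw, trusted_hosts):
    """Split the Received chain at the trust boundary.

    Received headers are prepended, so the first one was written last, by the
    server closest to us. Hops stamped by our own servers are trusted; 'origin'
    is the outermost of them (what our server saw connecting) and every hop
    beyond it is returned with flags but must not be believed.
    """
    hops = [parse_received(v) for v in email.message_from_string(raw).get_all("Received", [])]
    trusted = {h.lower() for h in trusted_hosts}
    origin, untrusted, past_boundary = None, [], False
    for hop in hops:
        hop = dict(hop, flags=ip_flags(hop["ip"]) + hostname_flags(hop["from_host"]))
        if not past_boundary and hop["by"] and hop["by"].lower() in trusted:
            origin = hop
            continue
        past_boundary = True
        untrusted.append(hop)
    return {"origin": origin, "untrusted": untrusted}


if __name__ == "__main__":
    report = backtrack(RAW_MESSAGE, ["mailhost.example.com"])
    print("origin (stamped by our server, reliable):", report["origin"])
    for hop in report["untrusted"]:
        print("claimed earlier hop (unverifiable):", hop)
```

The origin record is what you take to whois and nslookup; the untrusted hops are only useful as corroborating detail (here the HELO name and the .0 address look odd), never as the address you complain about.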

Carding


How is e-mail tracked?


Regardless of whether you are trying to track someone or to track a user's actions and activities (for example in an email campaign), the methods are the same or similar. Email tracking actions:

email tracking (if it is opened / read)

event tracking (if the link is clicked)

Recipient's IP address

DISCLAIMER:
This article is presented for informational purposes only and does not carry a call to action. All information is aimed at protecting readers from illegal actions.

Email tracking: how email is tracked
Simplified: by putting an image in the email content (HTML), the sender can track some of the previously mentioned parameters (opened emails, links, IP addresses, etc.). The image is often invisible, a single-pixel GIF (called a web beacon). Opening the email causes the image to be downloaded from the remote server, which results in the "open email" being detected or the recipient's IP address being tracked (in some cases).

In large email campaigns, in order to distinguish between users and emails, the name of the requested image (or its parameters) usually contains some information related to the user (ID, hash, etc.). In addition, you can place a link in the email message ("Start here", "Track", etc.) and track the frequency of user responses or the success rate of the email campaign (sent emails, opened emails and click rate).

Example of email tracking (PoC)
We need to include a single-pixel GIF/image in the email via an image link, for example:

Code:
<img src="https://<TARGET_DOMAIN>/webbeacon.php" />

To create a single-pixel web beacon GIF/image in PHP (webbeacon.php):

Code:
<?php
// Serve a 1x1 transparent GIF with the proper content type; the web server's
// access log records the requester's IP address and User-Agent for each fetch.
header('Content-Type: image/gif');
header('Cache-Control: no-store');
echo base64_decode("R0lGODlhAQABAIAAAAAAAAAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==");

Further, to send email, we can use the system mail configuration and sendmail. First, define the email content (HTML):

Code:
From: <Source/System Email Address>
To: <Target Email Address You're Going TO Track>
Subject: Tracking Email Example
Mime-Version: 1.0
Content-Type: text/html

<h1>Test Email Example</h1>
The mail body.
<img src="https://<TARGET_DOMAIN>/webbeacon.php" />

Then send this content to the sendmail command:

Code:
$ cat content.html | sendmail -t

When the user receives this email, the email client usually issues a request for the image, in this case webbeacon.php. The image will not be visible, but the request is still triggered.

At the same time, you can track whether an email has been opened, or catch the recipient's IP address. To track an event (such as a click on a link), you need to add the link to the content and configure / create a new PHP file to process it.

Note: some email providers/clients may cache the image (for a month), so additional emails may not trigger the "web beacon" fetch.

Email tracking and email client support
The market share of email clients leans surprisingly towards Apple. Rough estimate of the current market share:
  • Apple Combined: iPhone / iPad / Apple Mail (42%)
  • GMail (30%)
  • Outlook / Hotmail (10%)
  • Yahoo (6%)
  • Google android (3%)
  • Samsung Mail (1%)
  • etc.
To return to the previous point, email tracking is not supported by all email clients. To confirm this manually, we can send an email to any of these clients and monitor the web server log file (apache/nginx). The log will clearly show which email clients "enable" tracking and which do not.

Tracking Apple iPhone mail
Opening an email in the iPhone mail client results in the following output in the web server log:

Code:
xxx.xxx.xxx.xxx - - [21/Sep/2019:23:58:43 +0000] "GET /webbeacon.php HTTP/2.0" 200 28299 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 12_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148"

Although the email belongs to Google (@gmail.com), we get the real IP address of the target iPhone / network (xxx.xxx.xxx.xxx). Apparently no preprocessing takes place on the Google MX servers; mail client processing is completely independent.
  • Email (open/ read): Yes
  • Event: Yes
  • Recipient's IP address: Yes

Google mail tracking (Gmail)
Opening an email in Gmail:
Code:
66.249.81.157 - - [21/Sep/2019:23:58:44 +0000] "GET /webbeacon.php HTTP/1.1" 200 61 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko Firefox/11.0 (via ggpht.com GoogleImageProxy)"

Google uses a proxy to fetch remote images (GoogleImageProxy), so the recipient's IP address cannot be determined. 66.249.81.157 is one of Google's proxy IPs.
  • Email (open read): Yes
  • Event: Yes
  • Recipient's IP: none

Tracking Outlook mail (Hotmail)
Open email via the Hotmail / outlook web client:

Code:
xxx.xxx.xxx.xxx - - [21/Sep/2019:23:58:45 +0000] "GET /webbeacon.php HTTP/2.0" 200 150 "https://outlook.live.com/" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"

In this case, we get the recipient's public IP address ( xxx. xxx.xxx.xxx )
  • Email (open/ read): Yes
  • Event: Yes
  • Recipient's IP: Yes

Tracking Yahoo mail
Opening an email via a Yahoo mail account:

Code:
212.82.108.87 - - [21/Sep/2019:23:58:46 +0000] "GET /webbeacon.php HTTP/1.1" 200 61 "-" "YahooMailProxy; https://help.yahoo.com/kb/yahoo-mail-proxy-SLN28749.html"

Yahoo also uses a proxy to fetch remote images (YahooMailProxy), so the recipient's IP address cannot be obtained. 212.82.108.87 is a proxy IP in Google.
  • Email (open/ read): Yes
  • Event: Yes
  • Recipient's IP: none

Tracking other / private email clients
When it comes to some popular clients (RainLoop, Roundcube), loading remote images is disabled by default (the beacon does not work), with a "Display external images" option that users can enable manually (making it all work).

Code:
xxx.xxx.xxx.xxx - - [21/Sep/2019:23:59:48 +0000] "GET /test.php HTTP/2.0" 200 150 "https://www.<DOMAIN>.com/mail/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"

  • Email (open/read): Yes
  • Event: Yes
  • Recipient's IP address: Yes

Email JavaScript Support [Additional information]
In addition to email tracking, JavaScript execution poses a significant security risk. The protocol, or more precisely the explicit text/html media type (RFC 2854), allows JS:

In addition, the introduction of scripting languages and interactive features in HTML 4.0 has led to a number of security risks associated with the automatic execution of programs written by the sender but interpreted by the recipient. User agents running such scripts or programs must be extremely careful to ensure that untrusted software runs in a secure environment.

But fortunately, this is usually not supported by email clients. Some users reported that Thunderbird 52.4.0 with the "Original HTML" setting ignored JS (<script>document.write('Test alert');</script>) in test emails. The same happened with Outlook for Android 2.2.44, K-9 for Android 5.208, the Gmail webmail client (tested 06.11.2017) and Roundcube webmail 0.9.5. So, in general, or at least for most (modern) clients, JS does not work.

Conclusion
Aside from potential stalkers and/or spammers abusing this, trying to find you or confirm that your email address is active, this is a pretty useful skill to have in your skill set.

Either way, we should all know about it.

Just by opening an email, in some email clients/applications, you can reveal your location to the sender, confirm that your email address is active, or simply that you have seen this email. Since the protocol allows JS, in some clients an attacker could potentially even gain access to the email account (session theft). Additionally, by obtaining the recipient's IP address, you can, depending on your social engineering skills, potentially convince ISPs to disclose the user's real address. Numerous dangers, no doubt.

We're all lazy, but we should pay a little more attention to this, especially if someone is "hiding" (from an abusive husband) or perhaps doing something "illegal" (tracking the shelter your wife lives in). We all need to check whether our email clients support options for disabling images/JS. If not explicitly, we might try to find tools that do this (support for extensions, libraries, etc.), or we might end up switching email clients and finding one that doesn't allow email tracking (either implicitly or explicitly via options).
 
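An added example, not part of the post above: a Python script covering both halves of what it describes, the per-recipient token in the beacon URL and the reading of the access log that the "email client support" section walks through. Tokens are truncated HMACs keyed with a hypothetical server secret (`SECRET`), so the URL carries no address and tokens cannot be enumerated; the log lines are constructed to mirror the iPhone, Gmail and Yahoo entries quoted in the post and are not real traffic. Names such as `beacon_token`, `classify_hit` and the `t=` query parameter are this example's own choices.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlparse

# Hypothetical server-side key; a real deployment loads it from configuration.
SECRET = b"example-beacon-key"
BEACON_PATH = "/webbeacon.php"

# Providers that fetch remote images through their own proxy, so the log
# shows the proxy's address rather than the reader's.
PROXY_MARKERS = {"GoogleImageProxy": "Google", "YahooMailProxy": "Yahoo"}

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def beacon_token(campaign, recipient):
    """Short per-recipient token: truncated HMAC-SHA256 over campaign and address."""
    msg = f"{campaign}:{recipient.lower()}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]


def beacon_tag(domain, campaign, recipient):
    """The <img> element to embed in the HTML body for one recipient."""
    return (f'<img src="https://{domain}{BEACON_PATH}?t='
            f'{beacon_token(campaign, recipient)}" width="1" height="1" />')


def classify_hit(line, token_map):
    """What one access-log line reveals, or None if it is not a beacon fetch."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    url = urlparse(d["path"])
    if url.path != BEACON_PATH:
        return None
    token = parse_qs(url.query).get("t", [None])[0]
    proxy = next((name for marker, name in PROXY_MARKERS.items() if marker in d["ua"]), None)
    return {
        "recipient": token_map.get(token),      # None: unknown or missing token
        "opened_at": d["ts"],
        "via_proxy": proxy,                     # provider that hid the reader's address
        "recipient_ip": None if proxy else d["ip"],
        "client": d["ua"],
    }


def analyse(log_lines, token_map):
    """All beacon hits in an access log, in log order."""
    return [hit for hit in (classify_hit(line, token_map) for line in log_lines) if hit]


CAMPAIGN = "newsletter-2019-09"
RECIPIENTS = ["alice@example.net", "bob@example.net", "carol@example.net"]
TOKEN_MAP = {beacon_token(CAMPAIGN, r): r for r in RECIPIENTS}

# Constructed log lines modelled on the ones quoted in the post; not real traffic.
SAMPLE_LOG = [
    f'203.0.113.7 - - [21/Sep/2019:23:58:43 +0000] "GET {BEACON_PATH}?t={beacon_token(CAMPAIGN, "alice@example.net")} HTTP/2.0" 200 43 "-" '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 12_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148"',
    f'66.249.81.157 - - [21/Sep/2019:23:58:44 +0000] "GET {BEACON_PATH}?t={beacon_token(CAMPAIGN, "bob@example.net")} HTTP/1.1" 200 43 "-" '
    '"Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko Firefox/11.0 (via ggpht.com GoogleImageProxy)"',
    f'212.82.108.87 - - [21/Sep/2019:23:58:46 +0000] "GET {BEACON_PATH}?t={beacon_token(CAMPAIGN, "carol@example.net")} HTTP/1.1" 200 43 "-" '
    '"YahooMailProxy; https://help.yahoo.com/kb/yahoo-mail-proxy-SLN28749.html"',
    '198.51.100.9 - - [21/Sep/2019:23:59:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.64.1"',
]

if __name__ == "__main__":
    print(beacon_tag("<TARGET_DOMAIN>", CAMPAIGN, "alice@example.net"))
    for hit in analyse(SAMPLE_LOG, TOKEN_MAP):
        exposure = hit["recipient_ip"] or f"hidden behind {hit['via_proxy']} proxy"
        print(f"{hit['recipient']}: opened {hit['opened_at']}, IP {exposure}")
```

Read from the defender's side, the same script tells you which of your users' clients fetch images directly: every hit whose `recipient_ip` is not None is a client that leaked the reader's network to the sender.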